
The designer will ensure the application removes authentication credentials on client computers after a session terminates.


Overview

Finding ID: V-6153
Version: APP3430
Rule ID: SV-6153r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: High
Description
Leaving authentication credentials stored on the client allows potential access to session information that can be used by subsequent users of a shared workstation; the credentials could also be exported and used on other workstations, providing immediate unauthorized access to the application.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-3032r1_chk)
Persistent cookies are the primary means by which an application stores authentication information across more than one browser session. If the application is a web-based application, verify that Internet Explorer (IE) is set to warn the user before accepting a cookie. Log on to the application and perform several standard operations, noting whether the application ever prompts the user to accept a cookie. Log out, close the browser and check the /Windows/cookies, /Windows/profiles/xyz/cookies, and /documents and settings/xyz/cookies directories (where xyz is replaced by the Windows user profile name). If a cookie has been placed in any of these directories, open it (using Notepad or another text editor) and search it for identification or authentication data, or other sensitive application data, that remains after the session has ended.

1) If authentication credentials exist (e.g., a password), this is a CAT I finding.

2) If identification information (e.g., user name, ID, or key properties) exists, but is not accompanied by authentication credentials such as a password, this is a CAT II finding.

The application may use means other than cookies to store user information. If the reviewer detects an alternative mechanism for storing I&A information locally, examine the credentials found.

3) If authentication data (e.g., a password) is found, this is a CAT I finding.

4) If identification information is found (e.g., user name, ID, or key properties) but is not accompanied by authentication credentials such as a password, this is a CAT II finding.

5) If the application will initiate additional sessions without requiring authentication after logging out of the application, this is a CAT I finding.
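As an added example that is not part of the STIG text, the following Python script applies steps 1 through 5 to the Set-Cookie headers an application returns, as a reviewer might capture them with an intercepting proxy instead of reading cookie files by hand. It reports which cookies persist past the browser session (an Expires or Max-Age attribute is present) and whether the decoded value carries authentication data (CAT I) or only identification data (CAT II). It also shows the Set-Cookie header a logout response should send so the client deletes a persistent cookie, which is what the fix text asks for. The sample headers, the key-name lists and the decoding rules are constructed assumptions of this example, not anything the STIG specifies.

```python
"""Added example for APP3430 steps 1-5: classify the cookies an application sets.

Everything below is an assumption of the example: the sample headers are
constructed, and the key-name lists stand in for a reviewer's judgement.
"""
import base64
import binascii
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Key names taken to be authentication data (CAT I) or identification data (CAT II).
AUTH_KEYS = {"password", "passwd", "pwd", "pass", "secret"}
IDENT_KEYS = {"user", "username", "uid", "userid", "login", "name"}

# Constructed Set-Cookie headers, as a proxy would show them; no real application sent these.
SAMPLE_SET_COOKIE_HEADERS = [
    # session cookie with an opaque value: discarded when the browser closes
    "sessionid=8f3e2a1c; Path=/; HttpOnly; Secure",
    # persistent "remember me" cookie carrying a URL-encoded user name and password
    "remember=user%3Dalice%26pass%3Ds3cret; Expires=Thu, 01 Jan 2099 00:00:00 GMT; Path=/",
    # persistent cookie with identification data only
    "prefs=uid%3D1042%3Bname%3Dalice; Max-Age=2592000; Path=/",
    # persistent cookie whose value is base64 of "user=bob&pass=hunter2"
    "auth=" + base64.b64encode(b"user=bob&pass=hunter2").decode() + "; Max-Age=604800; Path=/",
]


def is_persistent(morsel):
    """True if the cookie outlives the browser session.

    A Max-Age greater than zero, or any Expires attribute, makes the browser write
    the cookie to disk (the reviewer still confirms the Expires date is in the future).
    """
    if morsel["max-age"] != "":
        return int(morsel["max-age"]) > 0
    return morsel["expires"] != ""


def decode_value(value):
    """Strip URL encoding, then base64 if the result is readable text, so key names show."""
    text = unquote(value)
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
        if decoded.isprintable():
            text = decoded
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass
    return text


def classify_value(value):
    """Return ("CAT I" | "CAT II" | None, matched key names) for one cookie value."""
    text = decode_value(value).lower()
    keys = set(re.findall(r"([a-z_]+)\s*[=:]", text))
    if keys & AUTH_KEYS:
        return "CAT I", sorted(keys & AUTH_KEYS)
    if keys & IDENT_KEYS:
        return "CAT II", sorted(keys & IDENT_KEYS)
    return None, []


def review_cookies(set_cookie_headers):
    """Apply steps 1 and 2 to each Set-Cookie header; only persistent cookies are findings."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            persistent = is_persistent(morsel)
            category, keys = classify_value(morsel.value)
            findings.append({
                "name": name,
                "persistent": persistent,
                "category": category,
                "keys": keys,
                # a step 1/2 finding only if the data survives the browser session
                "finding": category if persistent else None,
            })
    return findings


def expire_cookie_header(name, path="/"):
    """Set-Cookie header a logout response sends so the client deletes the cookie (the fix)."""
    return f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path={path}"


if __name__ == "__main__":
    for f in review_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{f['name']:10} persistent={f['persistent']!s:5} finding={f['finding']} keys={f['keys']}")
    print("logout should send:", expire_cookie_header("remember"))
```

The script only recognises key names in URL- or base64-encoded key/value cookie values, so an opaque or encrypted value still needs the manual inspection the check describes. Step 5 is not something a cookie scan can answer: it is tested by logging out and then requesting a protected page again, which must be refused.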

Web applications using autocomplete can be set up to store passwords and sensitive data. Many operating systems centrally control the autocomplete feature, and it should be disabled. Workstations that do not have this feature disabled by default risk storing password information and sensitive information. Examples include public kiosks and home workstations connecting to the NIPRNet, where this feature cannot be assumed to be disabled.

View the HTML pages that contain password and sensitive-information fields to determine whether the autocomplete feature has been turned off.

Example form html:


The autocomplete attribute is explained further on the Microsoft website:
http://msdn.microsoft.com/en-us/library/ms533486(VS.85).aspx

6) If the application is configured to allow autocomplete for passwords, this is a CAT I finding.

7) If the application is configured to allow autocomplete for sensitive information fields, this is a CAT II finding.
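As an added example, not taken from the STIG or from Microsoft's documentation, here is a Python script that performs the review in steps 6 and 7 on saved HTML pages: it reads every form, works out the effective autocomplete setting of each input (an attribute on the input overrides one on the enclosing form), and reports password fields (CAT I) and sensitive fields (CAT II) that are not set to off. The sample markup and the list of sensitive field names are constructed assumptions of this example; the second form in the sample shows the fix, autocomplete="off" on the form element.

```python
"""Added example for APP3430 steps 6-7: find form fields that allow autocomplete."""
from html.parser import HTMLParser

# Field names treated as sensitive for step 7. This list is an assumption of the
# example, not part of the STIG; a reviewer adapts it to the application.
SENSITIVE_FIELD_NAMES = {"ssn", "social_security", "card_number", "cvv", "account_number"}

# Constructed page with three forms: one CAT I, one already fixed, one CAT II.
SAMPLE_HTML = """
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form id="login-fixed" action="/login" method="post" autocomplete="off">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form id="profile" action="/profile" method="post">
  <input type="text" name="ssn" autocomplete="on">
  <input type="text" name="nickname">
</form>
"""


class AutocompleteAuditor(HTMLParser):
    """Walk the markup and record (form id, field name, category) for each finding."""

    def __init__(self):
        super().__init__()
        self.form_stack = []   # (form id, form-level autocomplete value or None)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names; values are None for bare attributes
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_stack.append((a.get("id", "(unnamed form)"), a.get("autocomplete")))
            return
        if tag != "input":
            return
        form_id, form_ac = self.form_stack[-1] if self.form_stack else ("(no form)", None)
        effective = a.get("autocomplete", form_ac)   # input attribute overrides form attribute
        if effective == "off":
            return
        name = a.get("name", "")
        if a.get("type") == "password":
            self.findings.append((form_id, name, "CAT I"))      # step 6
        elif name in SENSITIVE_FIELD_NAMES:
            self.findings.append((form_id, name, "CAT II"))     # step 7

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def audit_autocomplete(html):
    """Return the list of findings for one page of markup."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for form_id, field, category in audit_autocomplete(SAMPLE_HTML):
        print(f"{category}: form '{form_id}', field '{field}' allows autocomplete")
```

Run it over each saved page and treat any CAT I line as step 6 and any CAT II line as step 7. One caveat for anyone relying on the attribute rather than just passing the check: current versions of the major browsers ignore autocomplete="off" on password fields and still offer to save the password, so the attribute satisfies the review but does not by itself prevent storage; centrally disabling the feature on the workstation, as the check recommends, is what does.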

Fix Text (F-17076r1_fix)
Modify the application to remove authentication credentials on workstations after a session terminates.